We are an MSP who supply/support FortiGates to a number of clients. Only a few use licenced FortiClients with EMS and the benefits of support/vulnerability scanning and the extra features that the full-blown client provides.

For many others it's the free/unsupported FortiClient VPN-only client that's in use. This is relatively easy to deploy/configure but becomes problematic when updates are required to plug security holes.

As any upgrade requires a removal/reboot/reinstall, it's a pain when we're talking about hundreds of endpoints.

In addition, there are some recommendations (for sensible reasons) to use the native OS client that would dispense with these problems:

Most operating systems have a built-in VPN client available which can either be configured on the device or managed remotely. Integrated clients are normally free to use, work reliably, and are updated automatically, but can also be relatively limited in functionality. For example, there's often no ability to configure routing rules, exceptions, or split tunnelling. We recommend using the native client where possible, and our platform-specific guidance provides configuration details. However, a range of commercially available third-party VPN clients exists. Using a third-party VPN client increases the risk that operating system integration will be poor, and that consequently, some data may be sent outside the VPN. It also increases the number of software packages that need to be kept up to date, adding to the likelihood that some out-of-date software will be in use.

Has anyone switched from using the FortiClient VPN Only client to Windows 10 Native (IPsec, not SSL)?

Any issues/problems encountered by those who use the Windows native client?

Still dealing with Meraki devices, I support a number of users that use the W10 VPN and it works just fine. I'm not concerned about the L2TP/IPsec mix aspect of it (which is all Meraki will support). I find the connection itself to be very reliable. I create an "allusers" VPN profile with a single PowerShell command, and drop a desktop shortcut that says "Connect VPN" that invokes "rasphone -d " to connect. While users can connect it from the system tray network icon, there has been a bug that seems to pop itself up with random W10 updates where VPNs will sometimes fail to connect when using that method. I train users to always use the "login with network" option, but if they don't do that, they are trained to click the "Connect VPN" shortcut.

The biggest downsides of the native VPN client for me are:

Cannot control split tunneling from the head end - must add rules via PowerShell on the client for split-tunnel networks.

If you want users to have a VPN connection before logging into Windows, they have to click the "logon with network" icon in the bottom right corner of the W10 login screen, which will connect the VPN first, then pass through those creds to Windows to complete the Windows login (assuming they are all the same creds). More often than not, users completely ignore this and just log in to Windows normally, and now you have to be concerned with what GPOs aren't running because you cannot contact a DC as part of the login process.

I have been administering FortiClient VPNs and later FortiClient EMS for a long time now. FortiClient isn't high-quality software and needs a lot of testing/debugging with each new version. This wastes a lot of labor, and time is money, so that's a black mark against the product IMO. Also, if you want to manage a lot of remote FortiClient installs you need to expose the EMS server to the Internet (at least FortiClient management port 8013). If you expose the install port most remote installs can be accomplished too. A small percentage (like LTE users) will crash and burn and you'll need a remote access solution to get FortiClient fixed.

Being tired of all this I decided to experiment with the Windows 10 Enterprise device-tunnel Always-On IKEv2 VPN with FortiGates. You could as easily use a user-based connection instead with Win 10 Pro machines. Using certs this works quite well, but logging isn't very good on the FortiGate. I can see what machine is connected live, but that info isn't there in the logs for some reason. Split-VPN features are great, with the ability to control DNS queries, proxy settings, and app-specific routing. Unfortunately the Windows 10 VPN seems fragile. I was able to come up with a fix script for the issues, but it's still a fair amount of labor to maintain the VPN.

Given the importance of VPNs for our business units we have decided to switch everyone to NetMotion Mobility. It's tried and true for our law enforcement users and just works. The reporting is great, and I'm looking forward to our upgrade to version 12 that is going to double the reporting capabilities with lots of diagnostics data.
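The thread mentions three pieces of the native-client approach without showing them: the single PowerShell command that creates an all-users VPN profile, the split-tunnel routes that have to be added on the client, and the "Connect VPN" shortcut that runs rasphone. The script below is an added example written for this page; it is not any poster's script, not the "fix script" the second reply mentions, and not Fortinet or Microsoft code. It provisions an all-users IKEv2 profile with machine-certificate authentication, pins the IPsec proposal (the FortiGate phase 1/phase 2 proposals must be set to match these values), adds the split-tunnel routes, drops the shortcut, and then verifies the profile and pulls the client-side RasClient dial events, which is where a connect failure shows up when the FortiGate log does not record the machine. The connection name, server FQDN and the two internal prefixes are placeholders. The Always On device tunnel the second reply experiments with is delivered as ProfileXML through the VPNv2 CSP on Windows 10 Enterprise, not through Add-VpnConnection; this script covers the user-profile route the first reply describes.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Provisions an all-users IKEv2 VPN profile on a
# Windows 10 client and checks it. All three values below are placeholders.
$ConnectionName      = 'Corp VPN'
$ServerAddress       = 'vpn.example.com'
$SplitTunnelPrefixes = @('10.0.0.0/8', '192.168.100.0/24')

function New-CorpVpnProfile {
    # Remove any stale copy first so the script is safe to re-run from a deployment tool.
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force -ErrorAction SilentlyContinue

    # One profile for every user of the machine (-AllUserConnection), machine certificate
    # authentication (no user password to phish), split tunneling so only the routes added
    # below go through the tunnel.
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
        -TunnelType IKEv2 -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required -SplitTunneling -AllUserConnection -Force

    # Pin the IKE/IPsec proposal instead of accepting the permissive Windows default set.
    # The FortiGate side must offer exactly this proposal or phase 1 will fail.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 `
        -DHGroup ECP384 -PfsGroup ECP384 -AllUserConnection -Force

    # Split-tunnel routes live on the client (the downside the thread points out), so keep
    # the list in this script where it is versioned and re-applied on every run.
    foreach ($prefix in $SplitTunnelPrefixes) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -AllUserConnection
    }
}

function New-ConnectVpnShortcut {
    # "rasphone -d <name>" dials the named phonebook entry. The Public desktop makes the
    # shortcut visible to every user account on the machine.
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $env:PUBLIC 'Desktop\Connect VPN.lnk'))
    $lnk.TargetPath = Join-Path $env:SystemRoot 'System32\rasphone.exe'
    $lnk.Arguments  = "-d `"$ConnectionName`""
    $lnk.Save()
}

function Test-CorpVpnProfile {
    # Returns $true only when the profile exists with the settings requested above.
    $vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction Stop
    $missingRoutes = $SplitTunnelPrefixes | Where-Object { $_ -notin $vpn.Routes.DestinationPrefix }
    return (($vpn.TunnelType -eq 'Ikev2') -and
            ($vpn.AuthenticationMethod -contains 'MachineCertificate') -and
            $vpn.SplitTunneling -and
            (-not $missingRoutes))
}

function Get-RecentVpnDialEvents {
    param([int]$Days = 7)
    # RasClient writes one Application-log event per dial attempt: 20225 connected,
    # 20226 disconnected, 20227 failed (the message carries the RAS error code).
    # These are the client-side record of the intermittent connect failures the
    # thread describes, independent of what the gateway logs.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        Id           = 20225, 20226, 20227
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ConnectionName*" } |
        Select-Object TimeCreated, Id,
            @{ n = 'Outcome'; e = { switch ($_.Id) { 20225 { 'connected' } 20226 { 'disconnected' } default { 'failed' } } } },
            Message
}

New-CorpVpnProfile
New-ConnectVpnShortcut
if (Test-CorpVpnProfile) {
    "Profile '$ConnectionName' provisioned and verified."
} else {
    Write-Warning "Profile '$ConnectionName' does not match the expected settings."
}
Get-RecentVpnDialEvents | Format-Table -AutoSize
```

Run it elevated from whatever pushes scripts to the endpoints; because it removes and recreates the profile, the route list and the proposal in the script are the single source of truth, and a drifted client is corrected on the next run. Counting the 20227 events per machine over a week is a simple way to measure how often the "fails to connect" bug the first reply mentions is actually biting before deciding whether the native client is acceptable for a given user population.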